External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-07 17:37:37 -02:30
Code Issues Packages Projects Releases Wiki Activity

add helper decorator to ensure signleton roles see the proper role list

Browse Source
This commit is contained in:
Wayne Witzel III
2016-07-01 10:38:02 -04:00
parent 47893613a2
commit 16bc0cdf0b
2 changed files with 20 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
awx/api/views.py
View File

@@ -1193,12 +1193,6 @@ class UserRolesList(SubListCreateAttachDetachAPIView):
raise PermissionDenied() raise PermissionDenied()
content_type = ContentType.objects.get_for_model(User) content_type = ContentType.objects.get_for_model(User)
sys_admin = Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR)
sys_audit = Role.singleton(ROLE_SINGLETON_SYSTEM_AUDITOR)
if self.request.user in sys_admin or self.request.user in sys_audit:
return u.roles.all().exclude(content_type=content_type, object_id=u.id)
return Role.filter_visible_roles(self.request.user, u.roles.all()) \ return Role.filter_visible_roles(self.request.user, u.roles.all()) \
.exclude(content_type=content_type, object_id=u.id) .exclude(content_type=content_type, object_id=u.id)

20
awx/main/models/rbac.py
View File

@@ -61,6 +61,24 @@ role_descriptions = {
tls = threading.local() # thread local storage tls = threading.local() # thread local storage
def check_singleton(func):
'''
check_singleton is a decorator that checks if a user given
to a `visible_roles` method is in either of our singleton roles (Admin, Auditor)
and if so, returns their full list of roles without filtering.
'''
def wrapper(*args, **kwargs):
sys_admin = Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR)
sys_audit = Role.singleton(ROLE_SINGLETON_SYSTEM_AUDITOR)
user = args[0]
if user in sys_admin or user in sys_audit:
if len(args) == 2:
return args[1]
return user.roles.all()
return func(*args, **kwargs)
return wrapper
@contextlib.contextmanager @contextlib.contextmanager
def batch_role_ancestor_rebuilding(allow_nesting=False): def batch_role_ancestor_rebuilding(allow_nesting=False):
''' '''
@@ -352,6 +370,7 @@ class Role(models.Model):
@staticmethod @staticmethod
@check_singleton
def visible_roles(user): def visible_roles(user):
sql_params = { sql_params = {
'ancestors_table': Role.ancestors.through._meta.db_table, 'ancestors_table': Role.ancestors.through._meta.db_table,
@@ -372,6 +391,7 @@ class Role(models.Model):
return qs return qs
@staticmethod @staticmethod
@check_singleton
def filter_visible_roles(user, roles_qs): def filter_visible_roles(user, roles_qs):
sql_params = { sql_params = {
'ancestors_table': Role.ancestors.through._meta.db_table, 'ancestors_table': Role.ancestors.through._meta.db_table,